As mentioned in https://basement.woodbine.nyc/s/meeting-17_2023-01-11#Web-infrastructure
HTTP redirect loop results; as seen in attached screenshot.
I tried re-adding the 302 for /login, but that isn't working either.

Found a clue: email field is empty in log. via `docker logs 484cf4df1cb6 -f`:
```
06:13:04.095 request_id=FzvvplCseLcqC_oAAIAi [info] GET /auth/keycloak
06:13:04.096 request_id=FzvvplCseLcqC_oAAIAi [info] Sent 302 in 1ms
06:13:09.124 request_id=Fzvvp3xo0QnnfHQAAIBC [info] GET /auth/keycloak/callback
06:13:09.185 request_id=Fzvvp3xo0QnnfHQAAIBC [warning] Unable to login user "" {:error, {:valid_email, true}}
06:13:09.185 request_id=Fzvvp3xo0QnnfHQAAIBC [info] Sent 302 in 61ms
[repeats]
```
https://framagit.org/framasoft/mobilizon/-/blob/283581b97fe20b12bf3e86b5635791b343c13957/lib/web/controllers/auth_controller.ex#L78

A similar Mobilizon-Keycloak configuration to ours (as in https://docs.joinmobilizon.org/administration/configure/auth/) is reported to be working, and passing the email address: https://framagit.org/framasoft/mobilizon/-/issues/1105 so maybe our account records are missing the email address field, which would cause this error? (My email address in Mastodon account settings is listed as "change@me-cel-openid_connect.com" and I can't change it; I could not determine if that address was a default from Mastodon or Keycloak or elsewhere.) Mobilizon identifies/authenticates the user by (relying on) the email address field provided by the auth server (Keycloak).

Corresponding issue on Mobilizon issue tracker opened: https://framagit.org/framasoft/mobilizon/-/issues/1253 (Redirect loop on Error with Login Provider)

After setting an email address on my account in Keycloak's account management console (https://login.woodbine.nyc/realms/basement/account/) I can log in to Mobilizon successfully via Keycloak.

The wiki main page now notes this about the Mobilizon instance (events calendar):
"signup requires setting an account email address in our [account console](https://login.woodbine.nyc/realms/basement/account/) first"
This could be improved by putting the info for (new) account-holders on a separate page.

There could be a security consideration here: Mobilizon uses the email address field to authenticate the account, while the user could set any email address in the Keycloak Account Management console, without confirmation. It should be checked that email addresses in Keycloak must be unique, so that a user cannot impersonate another by using the same email address. It might be better if Mobilizon could authenticate the user by username or user id (UUID)? Mobilizon itself doesn't closely tie the account to a username, as it allows the user to create and delete multiple (federated) "identities" (usernames).

The upstream issue stays open; I suppose it can be fixed in Mobilizon; if needed another issue could be opened on Keycloak. I don't know if any configuration changes here could prevent this redirect loop, except perhaps to intercept the endpoint(s) to handle the error in a separate application (or in nginx config).
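An added example, not code from the thread or from Mobilizon/Keycloak, of the two checks the security consideration above calls for: whether a Keycloak realm lets emails be duplicated or left unverified (the real `duplicateEmailsAllowed` and `verifyEmail` realm attributes), and how a relying party should choose an account key from ID-token claims, preferring the stable `sub` (the Keycloak user UUID) over `email`. The realm dicts and claim dicts are constructed sample data; nothing here contacts a live server.

```python
from __future__ import annotations

# Constructed sample realms shaped like Keycloak's RealmRepresentation. A live
# copy can be fetched from the admin REST API (GET /admin/realms/{realm}) with
# an admin token; that request is deliberately not made here.
SAMPLE_REALM_WEAK = {
    "realm": "example-realm",
    "duplicateEmailsAllowed": True,   # two accounts may carry the same email
    "verifyEmail": False,             # a user-entered email is never confirmed
}
SAMPLE_REALM_HARDENED = {
    "realm": "example-realm",
    "duplicateEmailsAllowed": False,
    "verifyEmail": True,
}


def realm_email_findings(realm: dict) -> list[str]:
    """Return the findings that make 'email' unsafe as an account key.

    An empty list means the realm enforces both unique and verified emails.
    """
    findings = []
    if realm.get("duplicateEmailsAllowed", False):
        findings.append("duplicateEmailsAllowed=true: two users can share one email")
    if not realm.get("verifyEmail", False):
        findings.append("verifyEmail=false: users can set an unconfirmed email")
    return findings


def resolve_account_key(claims: dict) -> tuple[str, str | None]:
    """Pick the claim a relying party should map to a local account.

    Prefers the IdP-stable 'sub' claim (Keycloak's user UUID). Falls back to
    'email' only when it is non-empty and the IdP marks it verified; otherwise
    returns None, the same situation as the empty-email login failure in the log.
    """
    sub = claims.get("sub")
    if sub:
        return ("sub", sub)
    email = claims.get("email", "")
    if email and claims.get("email_verified") is True:
        return ("email", email)
    return ("email", None)
```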